Client Alert
White House Memorandum Elaborates on Prior Executive Order with Requirements for “High-Impact AI” Used by Federal Agencies
May 2, 2025
On April 3, 2025, the Office of Management and Budget issued a memorandum expounding upon the January 23, 2025 Executive Order (EO) 14179, Removing Barriers to American Leadership in Artificial Intelligence, to put forth new requirements for the implementation of Artificial Intelligence (AI) in U.S. federal agencies, with specific requirements where the AI use is considered “high impact.” The memorandum, Accelerating Federal Use of AI through Innovation, Governance, and Public Trust (“Memorandum”), defines high-impact AI as “AI with an output that serves as a principal basis for decisions or actions with legal, material, binding, or significant effect” in areas including human health and safety. Memorandum, at 19.
Asserting that the healthcare industry is an area where AI usage is high-impact, the administration’s Memorandum requires healthcare agencies to engage in specific minimum risk management practices to comply with EO 14179. At a high level, the OMB Memorandum specifies that federal agency use of AI must “prioritize the use of AI that is safe, secure, and resilient.” Memorandum, at 3. Further, the anticipated federal agency actions must ensure “appropriate safeguards are in place to protect privacy, civil rights, and civil liberties, and to mitigate any unlawful discrimination, consistent with the AI in Government Act,” enacted in 2020. Memorandum, at 4.
In healthcare contexts, the Memorandum states that AI is presumed to be high-impact when it affects:
- medically relevant functions of medical devices;
- patient diagnosis, risk assessment, or treatment;
- allocation of care in the context of public insurance; and
- control of health insurance costs and underwriting.
Memorandum, at 21.
Minimum Risk Management Practices Required for High-Impact AI
Federal agencies using high-impact AI in healthcare must implement the following practices:
- First, federal agencies must conduct pre-deployment testing to simulate expected real-world outcomes. Pre-deployment testing will allow agencies to identify the expected benefits of AI use, while also allowing agencies to prepare for potential risks with risk mitigation plans. For pre-deployment testing, agencies without access to AI source code, models, or data should either query the AI service for outputs or provide evaluation data to the vendor for results. Memorandum, at 15–16.
- Next, agencies must complete AI impact assessments. These assessments, which must be documented, should include the intended purpose and expected benefit of the AI; an analysis of the relevant data and model capability; the potential impacts of the usage of AI on privacy, civil rights, and civil liberties; reassessment scheduling and procedures; cost analysis; independent review by someone who is not involved in the AI development; and a signed risk acceptance from the person accepting the risk. Memorandum, at 16–17.
- Agencies are also required to conduct ongoing monitoring of performance for potential adverse impacts, including through periodic human review. Monitoring systems must be designed to detect unforeseen circumstances and changes to AI systems post-deployment. The Memorandum also requires that agencies develop monitoring processes that allow for traceability and ensure transparency where possible. Memorandum, at 17.
- Agencies must also ensure that operators of AI systems have sufficient training and oversight, with periodic training for each AI system. Agencies should also implement systems to properly assess an operator’s capability to manage associated risks. Memorandum, at 17.
- Further, agencies should ensure there is human oversight for healthcare AI applications and implement fail-safe mechanisms to reduce the risk of significant harm. Memorandum, at 17.
- The Memorandum also directs agencies to offer consistent remedies or appeals. Agencies should provide timely human review and opportunities for appeal to individuals who have been negatively affected by high-impact AI decisions. Remedy processes should be designed to minimize unnecessary administrative burdens. Memorandum, at 17.
- Finally, agencies must collect and incorporate feedback from end users and the public. Agencies must use this feedback to inform future decision-making in the design, development, and use of the AI. Memorandum, at 17.
Governance Requirements
To support these practices, federal healthcare agencies must:
- designate a Chief AI Officer (CAIO) within 60 days;
- for CFO Act agencies, establish an AI Governance Board within 90 days;
- develop AI strategies and compliance plans within 180 days;
- update internal IT, data, cybersecurity, and privacy policies within 270 days;
- develop a generative AI policy within 270 days; and
- update AI use case inventories.
Memorandum, at 10–11.
Exemptions and Flexibility
Despite the Memorandum’s guidelines, there is some flexibility in the requirements:
- Pilot programs may be exempt if:
  - the program is of limited scale and duration;
  - the CAIO certifies the pilot program;
  - individuals who interact with the AI can opt in/out when possible; and
  - minimum risk-management practices are applied where practicable.
Memorandum, at 15.
Additionally, the CAIO may waive specific requirements if fulfilling them would increase overall risks, the requirements would create impediments to critical operations, or the waiver is certified annually and can be revoked. Memorandum, at 15.
Implementation Timeline
Healthcare agencies must implement minimum risk-management practices for high-impact AI within 365 days of the Memorandum’s issuance — by April 2026. Healthcare agencies must also be prepared to report compliance to the OMB. Memorandum, at 14–15.
Implications for AI Vendors and the Healthcare Industry
The scope of the Memorandum raises the question of whether companies developing AI tools as vendors, e.g., government contractors for federal agencies, will be held to new contractual standards for the quality of the products they sell to federal agencies that are covered by this OMB Memorandum. It is also unclear from the Memorandum whether the implementation requirements that the Memorandum places on federal agencies will directly or indirectly impact how healthcare providers, managed care companies, and life sciences companies (such as medical device companies and diagnostic test manufacturers) incorporate AI into the way they deliver healthcare services to patients or develop products and devices. Industry stakeholders are well advised to closely follow developments at key federal agencies with regulatory authority over their products and services.
Please reach out to Winston’s Healthcare and Life Sciences Industry Group with any questions.